- Issue created by @RgnYLDZ
- 🇩🇪 Germany jurgenhaas Gottmadingen
Thanks for reaching out. However, I'm not sure I can follow you on this. Do you mean that when bad requests are coming in that Drupal reports the IP address of your load balancer (i.e. the proxy) to CrowdSec? Don't think that's the case if the Drupal site is configured correctly. There are reverse proxy settings to be made which allow Drupal to see the real IP address of the user who's making the request, and then that IP address is reported to CrowdSec, not the one of your load balancer. Or am I missing something?
- 🇹🇷 Turkey Kartagis Istanbul
@jurgenhaas this happens to me as well. We could make a form to enter IPs individually (not ideal, but works) and/or make a button for administrators to exempt them from the ban.
- 🇩🇪 Germany jurgenhaas Gottmadingen
@Kartagis which IPs do you want to put into such a list? As I mentioned in #2, the proxy addresses don't have to be configured there, because if the Drupal site is configured correctly in the first place, Drupal will know the correct IP of the client and ban that one instead of the proxy.
- 🇺🇸 United States websiteworkspace
Many related modules have IP address whitelist entry features.
It is absolutely imperative that this module have an IP address whitelist management feature.
No Drupal site builder wants to get IP banned from their own website while working on it.
When this module IP banned me, I was, fortunately, able to quickly pop into my VPN (generating a fresh IP address) and was then able to remove the erroneous IP ban from the Drupal IP ban module list.
- 🇹🇷 Turkey Kartagis Istanbul
@jurgenhaas active user's IP could be there.
- 🇩🇪 Germany jurgenhaas Gottmadingen
If anything, this would be called an allowlist. We don't want to use anything black and white.
The original post in this issue was about an issue with reverse proxy IP addresses, which must have been misconfigured; otherwise that wouldn't have happened.
The new use case brought up in #5 is about internal users who should be allowed to request invalid URLs. I can't follow that logic. If something like that happens unintentionally on a website to admins or editors, then something with that site is entirely wrong and should be fixed.
If this happens in a local or a test environment, then it's not recommended to have CrowdSec enabled there. This is a module to protect live sites. In other environments it should be disabled.
- 🇺🇸 United States websiteworkspace
The terms - allow-list - and - ban-list - seem appropriate.
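
Added example, not part of the thread and not code from Drupal or the CrowdSec module: a simplified PHP model of the trusted-proxy resolution behind the reverse proxy settings mentioned in #2, showing why a site without them attributes every request to the load balancer. The function name and all addresses are constructed for illustration, and proxies are assumed to be listed as exact addresses (no CIDR ranges).

```php
<?php
// Simplified model of trusted-proxy client IP resolution (added example).
// In Drupal the trusted list is set in settings.php:
//   $settings['reverse_proxy'] = TRUE;
//   $settings['reverse_proxy_addresses'] = ['<load balancer address>'];

/**
 * Returns the address an application would treat as the client.
 *
 * @param string      $remoteAddr     TCP peer address seen by the web server.
 * @param string|null $forwardedFor   Raw X-Forwarded-For value, if any.
 * @param string[]    $trustedProxies Proxies allowed to set that header.
 */
function resolve_client_ip(string $remoteAddr, ?string $forwardedFor, array $trustedProxies): string
{
    // Honour the header only when the direct peer is a trusted proxy;
    // otherwise any visitor could claim an arbitrary address.
    if ($forwardedFor === null || !in_array($remoteAddr, $trustedProxies, true)) {
        return $remoteAddr;
    }
    $chain = array_map('trim', explode(',', $forwardedFor));
    // Walk from the hop nearest to us outwards, skipping trusted proxies.
    foreach (array_reverse($chain) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            continue; // ignore malformed entries
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop; // first untrusted hop is treated as the client
        }
    }
    return $remoteAddr; // chain held nothing but trusted proxies
}

// Constructed sample values (private and documentation address ranges).
$loadBalancer = '10.0.0.5';
$visitor      = '203.0.113.7';

// Case 1: no trusted proxies configured, the load balancer is taken as the client.
echo 'unconfigured: ', resolve_client_ip($loadBalancer, $visitor, []), PHP_EOL;

// Case 2: load balancer listed as trusted, the forwarded visitor address is used.
echo 'configured:   ', resolve_client_ip($loadBalancer, $visitor, [$loadBalancer]), PHP_EOL;

// Case 3: a direct request carrying a forged header, the header is ignored.
echo 'forged:       ', resolve_client_ip('198.51.100.9', $visitor, [$loadBalancer]), PHP_EOL;
```

In case 1 every ban decision lands on the load balancer address, which is the situation described in the original report.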